storm.dll ordinals?

Started by brew, December 03, 2007, 06:39 PM


brew

Does anyone know how or where to get an updated list of storm exported function names and their ordinals? The one he posted a while back is lacking 493 among others. I tried to find it myself, but I am unable to locate the exports section, or maybe I did, but it's compressed:
Quote
PKWARE Data Compression Library for Win32
Copyright 1989-1995 PKWARE Inc.  All Rights Reserved
Patent No. 5,051,745
PKWARE Data Compression Library Reg. U.S. Pat. and Tm. Off.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Dale


**note - these are all __stdcall unless otherwise noted

102    SNetDestroy()
117    SNetInitializeProvider()
119    SNetLeaveGame()
120    SNetPerformUpgrade(int)
122    SNetReceiveTurns(void **,int,int,int,int);
123    SNetRegisterEventHandler()

132    int __fastcall  0CDebugSCritSect(LPCRITICAL_SECTION lpCriticalSection)
141        __thiscall  CDebugSRWLock::CDebugSRWLock(void)
142        __thiscall  CSRWLock::CSRWLock(void)
143        __thiscall  SCritSect::SCritSect(void)
144        __thiscall  SEvent::SEvent(BOOL bManualReset,BOOL bInitialState)
145        __thiscall  SSyncObject::SSyncObject(void)
146        __thiscall  CDebugSCritSect::~CDebugSCritSect(void)
147        __thiscall  CDebugSRWLock::~CDebugSRWLock(void)
148        __thiscall  CSRWLock::~CSRWLock(void)
149        __thiscall  SCritSect::~SCritSect(void)
152        __thiscall  SSyncObject::~SSyncObject(void)
153                    SFile::Close(SFile *)
154    int __fastcall  SThread::Create(unsigned int (__stdcall *)(void *),void *,class SThread &,char *)
155                    SFile::CreateOverlapped(SOVERLAPPED *)
156                    SFile::DestroyOverlapped(OVERLAPPED *)
157                    SFile::EnableHash(bool)
158    void __thiscall CDebugSCritSect::Enter(char const *,unsigned long)
159    void __thiscall CDebugSRWLock::Enter(int,char const *,unsigned long)
160    void __thiscall CSRWLock::Enter(int)
161    int             SCritSect::enter(void)
162                    SFile::FileExists(char const *)
163                    SFile::GetActualFileName(SFile *,char *,unsigned long)
164                    SFile::GetBasePath(char *,unsigned long)
165                    SFile::GetFileSize(SFile *,unsigned long)
166    void __thiscall CDebugSCritSect::Leave(char const *,unsigned long)
167    void __thiscall CDebugSRWLock::Leave(int,char const *,unsigned long)
168    void __thiscall CSRWLock::Leave(int)
169    int             SCritSect::leave(void)
170                    SFile::Load(SArchive *,char const *,void **,unsigned long *,unsigned long,unsigned long,SOVERLAPPED *)
171                    SFile::LoadFile(char const *,void **,unsigned long *,unsigned long, SOVERLAPPED *)
172                    SFile::Open(char const *,SFile **)
173                    SFile::PollOverlapped(SOVERLAPPED *)
174                    SFile::Read(class SFile *,void *,unsigned long,unsigned long *,struct SOVERLAPPED *,struct _TASYNCPARAMBLOCK *)
175    int __thiscall  SEvent::Reset(void)
176                    SFile::ResetOverlapped(SOVERLAPPED *)
177    int __fastcall  SCreateThread(unsigned int (__stdcall *)(void*),void*,unsigned int*,void*,char*);
188    int __thiscall  SEvent::Set(void)
189                    SFile::SetBasePath(char const *)
190                    SFile::SetFilePointer(SFile *,long,long*,unsigned long)
191                    SFile::Unload(void *)
193    int __stdcall          WaitMultiplePtr(BOOL bWaitAll,DWORD dwMilliseconds)
194                    SFile::WaitOverlapped(struct SOVERLAPPED *)
192    int __stdcall Wait(DWORD dwMilliseconds)

251    SFileAuthenticateArchive(int,int)
252    SFileCloseArchive(HANDLE hArchive)
253    SFileCloseFile(HANDLE hFile)
262    SFileDestroy()
264    SFileGetFileArchive(HANDLE hFile,int)
265    SFileGetFileSize(HANDLE hFile, int *fileSizeHigh)
266    SFileOpenArchive(char *name, int flags, int, HANDLE *hArchive)
267    SFileOpenFile(int,int)
268    SFileOpenFileEx(HANDLE hArchive, char *fileName, int, HANDLE *hFile)
269    SFileReadFile(HANDLE hFile, void *buffer, int toRead, int *read, int)
270    SFileSetBasePath(int)
271    SFileSetFilePointer(HANDLE hFile, int filePos, int *filePosHigh, int method)
272    SFileSetLocale(__int16)
273    SFileGetBasePath(int,int)
275    SFileGetArchiveName(int,int,int)
276    SFileGetFileName(int,int,int)
299    SFileAuthenticateArchiveEx(int,int,int,LONG lDistanceToMove,int,DWORD NumberOfBytesRead)

301    StormDestroy

321    SBmpDecodeImage
323    SBmpLoadImage(int,int,int,int,int,int,int)
324    SBmpSaveImage(int,int,int,int,int,int)
325    SBmpAllocLoadImage(char *filename,int,int,int,int,int,int,int)
326    SBmpSaveImageEx(char *str,int,int,int,DWORD NumberOfBytesWritten,int,LPCVOID lpBuffer)

331    SCodeCompile(char *src,int,int,int,int,int)
332    SCodeDelete()
335    SCodeGetPseudocode(int,int,int)

341     SDrawVidDriverInitialize()
342     SDrawCaptureScreen(char *path);
343     SDrawShowCursor (?)
344     SDrawDestroy()

372     SEvtDispatch()
373     SEvtRegisterHandler()
375     SEvtUnregisterType

382     SGdi1
383     SGdi2
392     SGdi4

401 void *__stdcall SMemAlloc(int amount,char *filename,int line,int defaultValue)
403                 SMemFree(int,int,int,int)
404                 SMemGetSize()
405                 SMemReAlloc(int,int,int,int,int);

421 int SRegLoadData(HKEY hKey,LPCSTR lpValueName,HKEY phkResult,LPBYTE lpData,int,DWORD Type);
423 int SRegQueryValue(char *key,char *value,BYTE flags,char *result)

434     STrans1
436     STrans2
437     STrans4
438     STrans3
439     STransLoadI(int,int,int,int);
440     STrans7
443     STrans5
447     STransLoadE(int,int,int,int);

451     SVidDestroy
453     SVidInitialize
454     SVidPlayBegin
455     SVidPlayBeginFromMemory
456     SVidPlayContinue
457     SVidPlayContinueSingle

461     SErrDisplayError(int,int,DWORD ExitCode,int,int,UINT uExitCode)
462     SErrGetErrorStr
463     SErrGetLastError
465     SErrSetLastError(DWORD dwErrCode)

475     ? - ProcessToken

481     SMemFindNextBlock()
482     SMemFindNextHeap()
483     SMemGetHeapByCaller()
484     SMemGetHeapByPtr()
485     SMemHeapAlloc()
486     SMemHeapCreate()
487     SMemHeapDestroy()
488     SMemHeapFree()
489     SMemHeapRealloc()
490     SMemHeapSize()
491 int SMemCpy(void *dest, void *src, int count)
494 int SMemZero(void *buf, int count)
497     SMemDumpState()

501 int   SStrNCpy(char *dst, char *src, int count)
502 DWORD SStrHash(LPCSTR String, BOOLEAN IsFilename, DWORD Seed)
501 int   SStrNCat(char *base, char *new, int max_length);
508 int   SStrCmp(char *str1,char *str2,size_t size);
509 int   SStrCmpI(char *str1,char *str2,size_t size);510    int SStrUpr(char *str)

Note - 569,571 and 570,572 are the same functions
569  char *__fastcall SStrChr(char *str,char c);
570  char *__fastcall SStrChrR(const char *str,char c);
571  char *__stdcall  SStrChr(char *str,char c);
572  char *__fastcall SStrChrR(const char *str,char c);
578                   SStrPrintf(char *str, size_t size, const char *format, ...);
579                   SStrLwr(char *str)

548     Add to log file (not sure about official name)

601    SBigAdd(int,int,int)
602    SBigAnd(int,int,int)
603    SBigCompare(BigBuffer buf1,BigBuffer buf2)
604    SBigCopy(int,int)
605    SBigDec(int,int)
606    SBigDel(BigBuffer buf)
607    SBigDiv(int,int,int)
608    SBigFindPrime(int,int,int,int)
609    SBigFromBinary(BigBuffer *,const void *str,unsigned int num)
610    SBigFromStr(int,int)
611    SBigFromStream(int,int,int,int)
612    SBigFromUnsigned(BigBuffer buf,unsigned int value)
613    SBigGcd(int,int,int)
614    SBigInc(int,int)
615    SBigInvMod(int,int,int)
616    SBigIsEven(BigBuffer buf)
617    SBigIsOdd(BigBuffer buf)
618    SBigIsOne(BigBuffer buf)
619    SBigIsPrime(BigBuffer buf)
620    SBigIsZero(BigBuffer buf)
621    SBigMod(int,int,int)
622    SBigMul(int,int,int)
623    SBigMulMod(int,int,int,int)
624    SBigNew(BigBuffer **Buffer)
625    SBigNot(int,int)
626    SBigOr(int,int,int)
627    SBigPow(int,int,int)
628    SBigPowMod(int,int,int,int)
629    SBigRand(int,int,int)
630    SBigSet2Exp(int,int)
631    SBigSetOne(BigBuffer *buf)
632    SBigSetZero(BigBuffer *buf)
633    SBigShl(int,int,int)
634    SBigShr(int,int,int)
635    SBigSquare(int,int)
636    SBigSub(int,int,int)
637    SBigToBinaryArray(int,int,int)
638    SBigToBinaryBuffer(int,int,int,int)
639    SBigToBinaryPtr(int,int,int)
640    SBigToStrArray(int,int)
641    SBigToStrBuffer(int,char *dst,int count)
642    SBigToStrPtr(int,int)
643    SBigToStreamArray(int,int,int)
644    SBigToStreamBuffer(int,int,int,int)
645    SBigToStreamPtr(int,int,int)
646    SBigToUnsigned(int,int)
647    SBigXor(int,int,int)

649    SSignatureVerifyStream_Begin(int)
648    SSignatureVerify(int,int,int,int)
650    SSignatureVerifyStream_ProvideData(int)
651    SSignatureVerifyStream_Finish(int)
652    SSignatureGenerate(int,int,int,int,int,int)
653    SSignatureVerifyStream_GetSignatureLength()



Thanks goes to iago, not myself.

brew

<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Dale

That's lacking 493 of them?

Barabajagal

Ordinal #493, entry point 0x00022410.

warz

The question is... are the rest significant?

iago

As far as I know, my list (http://www.javaop.com/~ron/documents/Storm.txt) is the most complete one that's ever been posted. If you need others, ask me about my consultancy fees. ;)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

Just wondering, but what's all the SBig stuff about?

brew

Quote from: Andy on December 04, 2007, 02:38 PM
Just wondering, but what's all the SBig stuff about?
Probably BigInteger arithmetic operations for something that requires big integers. (nls)

iago: What method did you use to find them in the first place? and what are the consultancy fees that you speak of?
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Barabajagal

why would the variables be stored in "int" format, then? Are the integer values used as placeholders for the actual data?

brew

Quote from: Andy on December 04, 2007, 03:33 PM
why would the variables be stored in "int" format, then? Are the integer values used as placeholders for the actual data?
probably. My guess is that they'd be actually int pointers.
I'm still not sure about #493, but i think i have a good idea of what it does:

19019DFA   85C0             TEST EAX,EAX
19019DFC   76 24            JBE SHORT battle.19019E22
19019DFE   3BF8             CMP EDI,EAX
19019E00   76 11            JBE SHORT battle.19019E13
19019E02   8BD7             MOV EDX,EDI
edi = globaldwordarray[5]
19019E04   2BD0             SUB EDX,EAX
19019E06   52               PUSH EDX
19019E07   03C6             ADD EAX,ESI
19019E09   50               PUSH EAX
19019E0A   56               PUSH ESI
19019E0B   E8 629EFEFF      CALL <JMP.&storm.#493>
19019E10   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]     
  //notice how eax isn't very important here
19019E13   2BF8             SUB EDI,EAX   //subtract the base addr of the warden crap ptr from edi, probably another length
19019E15   A1 18640419      MOV EAX,DWORD PTR DS:[19046418]   
// that one global that points to a base address for the interesting dword array




....
if (eax) {
   if (edi >= eax) {
      storm493(esi, esi + eax, edx - eax);
      eax = wardendataptr;
      edi -= eax;
   }
}
....

esi is the dest.
esi + eax is the source.
edx - eax is the length (edx was loaded from edi just before the SUB, so this is edi - eax).
Since __stdcall pushes arguments right-to-left, the last push (ESI) is the first argument, which is how the order dest, source, length falls out.
it looks like it's a memmove, because it's copying from a higher memory address down to a lower one (they look close enough to overlap), and to guarantee no corruption in that case it MUST be a memmove.
so this should be added to that ordinal listing:
493 int SMemMove(void *dest, void *src, int count)
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

iago

Quote from: brew on December 04, 2007, 03:04 PM
Quote from: Andy on December 04, 2007, 02:38 PM
Just wondering, but what's all the SBig stuff about?
Probably BigInteger arithmetic operations for something that requires big integers. (nls)

iago: What method did you use to find them in the first place? and what are the consultancy fees that you speak of?

Depends. In some cases I reverse engineered them, and in others I compared the normal storm.dll to the mac storm.dll (which has names), and found which functions call which other functions, and sometimes which functions do the same thing. You can figure out quite a lot from just those simple things while barely knowing assembly. But I think I got all the easy ones like that. :)

Quote from: Andy on December 04, 2007, 03:33 PM
why would the variables be stored in "int" format, then? Are the integer values used as placeholders for the actual data?
int is the default for ones I don't know, and I never bothered figuring out the parameters (knowing which function it was was sufficient for reversing NLS). But some of those will be ints, and most will likely be pointers to a BigInteger struct, whatever that looks like.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

Quote from: iago on December 04, 2007, 07:36 PM
Quote from: Andy on December 04, 2007, 03:33 PM
why would the variables be stored in "int" format, then? Are the integer values used as placeholders for the actual data?
int is the default for ones I don't know, and I never bothered figuring out the parameters (knowing which function it was was sufficient for reversing NLS). But some of those will be ints, and most will likely be pointers to a BigInteger struct, whatever that looks like.
Ya, Blake said they were most likely pointers. Maybe if I care enough some day, I'll add NLS handling to my little hashing DLL using Storm for BigInt.

iago

Quote from: Andy on December 04, 2007, 08:14 PM
Quote from: iago on December 04, 2007, 07:36 PM
Quote from: Andy on December 04, 2007, 03:33 PM
why would the variables be stored in "int" format, then? Are the integer values used as placeholders for the actual data?
int is the default for ones I don't know, and I never bothered figuring out the parameters (knowing which function it was was sufficient for reversing NLS). But some of those will be ints, and most will likely be pointers to a BigInteger struct, whatever that looks like.
Ya, Blake said they were most likely pointers. Maybe if I care enough some day, I'll add NLS handling to my little hashing DLL using Storm for BigInt.
I don't recommend using storm.dll for bigint stuff, it isn't the best library. There are several free ones if you look.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

The point would be that the user already has storm.dll...